I use the standard Kerberos "kinit" tool to get my TGT; this is successful.
I use the standard OpenLDAP "ldapsearch" tool to attempt to do an
LDAP+GSSAPI over TLS (cert level "demand") search, and I get two
errors.

The first error is an "inappropriate auth", which seems to come from OpenLDAP.
The second error is "Cannot start kerberos signing/sealing when using
TLS/SSL", which seems to come from GSSAPI-land.

Interesting facts:

- This fails against Windows 2003 AD.

Questions about why Microsoft AD is broken belong in a Microsoft forum.